Agents Learn Restraint
7 stories · ~7 min read

If You Only Read One Thing
The new agent frontier is subtraction, not scale. Claude Code's latest changelog makes skills capable of denying tools, while MiniCPM5-1B puts long-context tool use into a 1B open model. Skills Become Sandboxes and MiniCPM Makes Local Enough point to the same deployment truth: useful agents are becoming smaller, narrower, and easier to contain.
Skills Become Sandboxes
Claude Code keeps adding autonomy, but the important new bit is a way to take power away from that autonomy.
The 2.1.152 entry in the Claude Code changelog, dated May 27, adds disallowed-tools to skills and commands, hot-reloads newly installed skills with /reload-skills, and lets /code-review --fix apply review findings directly to the working tree. The prior Claude Code skills model already had allowed-tools, but Anthropic's docs described that as a pre-approval mechanism: a skill could use listed tools without repeated prompts while baseline permissions still governed the rest. Denial is a different primitive. It turns a skill from a prompt package into a capability boundary.
Why it matters: agent safety is moving from global permission settings to workflow-local authority. The familiar model for coding agents is ambient authority: once the agent has shell, file-edit, MCP, browser, or network tools, every prompt has to be trusted not to misuse that same broad surface. A skill-level deny list says the opposite. The unit of trust is not "Claude Code in this repository"; it is "this review skill, this migration skill, this release skill, with these tools removed."
That becomes more important because /code-review --fix closes the loop between critique and mutation. A review-only command is a second opinion. A review command that edits the working tree is a repair agent, and repair agents need sharper boundaries than chat agents. The right way to read the release is not "Claude got another convenience flag." It is that Anthropic is making permission design part of the reusable workflow artifact.
There is a broader market signal here. Skills, hooks, permissions, MCP servers, and subagents are converging into a packaging layer for agent behavior. Once that layer can both grant and deny tools, marketplaces for skills stop being merely prompt libraries. They start looking like executable extensions with declared blast radii.
Room for disagreement: frontmatter is still only one enforcement surface. If project settings, MCP server behavior, or shell commands route around a skill's declared boundary, the model can look safer than the runtime actually is. The evidence that would settle this is a public skill manifest format that shows effective permissions after project settings, organization policy, and active skills are merged.
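The kind of "effective permissions" view that paragraph asks for can be prototyped in a few lines. The following is an added example written for this issue, not Claude Code's own resolution logic: it models the layers the text names (organization policy, project settings, the active skill's allowed-tools and disallowed-tools) and applies one rule a security reviewer would insist on, namely that a deny at any layer beats an allow at any layer. The rule syntax borrows the Tool and Tool(prefix:*) shape used in Claude Code permission rules, but the layer order, the deny-wins merge and the sample rules are assumptions, and the layer contents are constructed for the demo.

```python
"""Illustrative effective-permission resolver for tool-scoped agent skills.

Added example, not Claude Code's implementation. Assumptions: permission rules
look like "Edit", "Bash(git diff:*)" or "Bash(git status)"; a tool call looks
like "Edit" or "Bash(git diff --stat)"; deny at any layer wins over allow at
any layer; a call no rule matches falls back to the baseline prompt ("ask").
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass
class Layer:
    """One source of permission rules: org policy, project settings, a skill."""
    name: str
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)


def rule_matches(rule: str, tool_call: str) -> bool:
    """'Bash' matches any Bash call; 'Bash(git diff:*)' matches 'Bash(git diff --stat)'."""
    if "(" not in rule:
        return tool_call == rule or tool_call.startswith(rule + "(")
    head, _, arg_pat = rule.partition("(")
    arg_pat = arg_pat.rstrip(")")
    if not tool_call.startswith(head + "(") or not tool_call.endswith(")"):
        return False
    arg = tool_call[len(head) + 1:-1]
    if arg_pat.endswith(":*"):          # prefix form (assumed semantics)
        return arg.startswith(arg_pat[:-2])
    return fnmatchcase(arg, arg_pat)    # exact / glob form


def resolve(tool_call: str, layers: List[Layer]) -> Tuple[str, str]:
    """Return (decision, reason). Any deny wins; then any allow; else ask."""
    for layer in layers:
        for rule in layer.deny:
            if rule_matches(rule, tool_call):
                return "deny", f"{layer.name}: deny {rule}"
    for layer in layers:
        for rule in layer.allow:
            if rule_matches(rule, tool_call):
                return "allow", f"{layer.name}: allow {rule}"
    return "ask", "no rule matched; baseline permission prompt applies"


def effective_permissions(tool_calls: List[str], layers: List[Layer]) -> Dict[str, Tuple[str, str]]:
    """The merged view: what each call would actually be allowed to do."""
    return {call: resolve(call, layers) for call in tool_calls}


# Constructed sample layers for the demo (not real settings files).
ORG_POLICY = Layer("org-policy", deny=["Bash(curl:*)", "Bash(wget:*)"])
PROJECT = Layer("project-settings",
                allow=["Bash(git diff:*)", "Bash(git log:*)", "Edit", "Write"])
REVIEW_SKILL = Layer("skill:code-review",
                     allow=["Read", "Grep", "Bash(git diff:*)"],
                     deny=["Edit", "Write", "Bash(git push:*)"])
LAYERS = [ORG_POLICY, PROJECT, REVIEW_SKILL]

SAMPLE_CALLS = [
    "Bash(git diff --stat)",             # allowed by project and skill
    "Edit",                              # project allows, skill denies -> deny
    "Bash(curl https://example.invalid)",  # org policy denies regardless of skill
    "Bash(git push origin main)",        # review skill explicitly removes push
    "Read",                              # only the skill grants it
    "Bash(rm -rf build)",                # nothing matches -> baseline prompt
]

if __name__ == "__main__":
    for call, (decision, reason) in effective_permissions(SAMPLE_CALLS, LAYERS).items():
        print(f"{decision:5} {call:38} <- {reason}")
```

The useful property is that the review skill's deny on Edit and Write wins even though project settings allow them, which is exactly the situation where a README's frontmatter alone would mislead a reader; a manifest that ships this merged table instead of one file's allow list is the artifact the paragraph is asking for.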
What to watch: watch whether popular Claude Code skill repositories begin advertising disallowed-tools diffs the way browser extensions advertise requested permissions. If they do, skill trust becomes a product surface rather than a README convention.
MiniCPM Makes Local Enough
The interesting claim in MiniCPM5-1B is not that a 1B model beats frontier systems. It does not. The interesting claim is that a 1B model is getting enough of the agent shape to become useful in the places where frontier models are too expensive, too remote, or too broad.
OpenBMB's MiniCPM5-1B model card describes a dense 1.08B-parameter Llama-style model with 24 layers, grouped-query attention, a 131,072-token context window, and both thinking and non-thinking chat modes from the same checkpoint. The release ships in practical formats: BF16, SFT-only, base, GGUF for llama.cpp, Ollama, and LM Studio, plus an MLX build for Apple Silicon. Artificial Analysis says the non-reasoning variant scored 17.9 on its Intelligence Index, the strongest result it has measured in the 1B open-weights class.
Why it matters: small local models used to be framed as privacy demos or hobbyist substitutes for real models. MiniCPM5-1B points at a more durable role: local control-plane work. A control-plane model does not need to solve the whole software task. It needs to classify, route, summarize, preflight, extract, format, validate, and call tools close to the data.
The 131K context number matters in that role because local agents often fail on context logistics before they fail on intelligence. They need to hold a config tree, a few logs, a set of local docs, or a tool transcript without sending all of it to an API. The advantage the model card claims in tool use, code generation, and reasoning within its size class is the right kind of advantage for that niche. It says the small model is not merely a chatbot squeezed onto a laptop; it is being optimized around agent work.
The strongest confirming signal is already downstream. A llama.cpp pull request merged on May 27 added MiniCPM5 tokenizer support for Hugging Face to GGUF conversion and inference. That is the difference between a model announcement and a model entering the local runtime supply chain. The more quickly small models show up in llama.cpp, MLX, Ollama, and desktop packaging, the less local inference depends on one lab's preferred demo path.
Room for disagreement: 1B remains small. Long context does not prove reliable long-context reasoning, and local inference formats do not prove good latency, memory use, or tool-call behavior after quantization. The model becomes more than a curiosity only if GGUF and MLX users can reproduce useful agent loops on ordinary laptops.
What to watch: watch for independent local-agent benchmarks that pair MiniCPM5-1B with llama.cpp or MLX, not cloud-hosted BF16 runs. The question is not whether it wins a leaderboard. It is whether it can become the cheap first pass before a frontier model is invoked.
The Contrarian Take
Everyone says: agent progress is about more context, stronger models, and longer autonomous runs.
Here's why that's wrong, or at least incomplete: the deployment bottleneck is becoming restraint. Claude Code's new direction is fewer tools per workflow, not just more agent capability. MiniCPM5-1B's promise is fewer parameters close to the task, not another universal model. OpenAI's workload identity release and Vercel's structured transport errors point the same way: production agents are becoming systems of scoped authority, explicit failure state, and cheap local delegation.
Under the Radar
- API keys are being pushed out of agent infrastructure. OpenAI released workload identity federation, letting trusted workloads exchange externally issued identity tokens for short-lived OpenAI access tokens instead of storing long-lived API keys. This is invisible plumbing, but it changes the default failure mode for CI agents, background workers, and hosted eval jobs: the credential can expire with the workload instead of living forever in an environment variable.
- Vercel is making agent failures branchable. The May 27 Vercel AI SDK releases added OpenTelemetry context around model calls and exposed statusCode, url, and responseBody on MCP HTTP transport errors. That matters because fallback logic should not parse error strings. It should branch on structured failure state when deciding whether to retry, degrade, or switch transports.
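What "branch on structured failure state" looks like in practice, as an added example for this issue rather than code from the Vercel AI SDK (which is TypeScript) or from Pydantic AI: the error class, its field names and the retry/degrade/switch policy below are assumptions modelled on the three fields the bullet names (statusCode, url, responseBody), and the sample errors are constructed, not captured from a real MCP server. The same idea underlies the FinishReason.error mapping mentioned in Quick Takes: a typed field the caller can switch on instead of wording it has to guess at.

```python
"""Illustrative fallback policy keyed on structured MCP transport errors.

Added example, not the Vercel AI SDK. The error type, its fields, the status
code to action mapping and the body field names are assumptions for the demo.
"""
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


@dataclass
class MCPTransportError(Exception):
    status_code: Optional[int]   # None when no HTTP response was received at all
    url: str
    response_body: str = ""
    message: str = ""

    def __str__(self) -> str:    # the only thing a string-parsing fallback ever sees
        return self.message


class Action(Enum):
    RETRY = "retry"       # transient: same transport again, with backoff
    SWITCH = "switch"     # this endpoint will not work: try another transport
    DEGRADE = "degrade"   # authz or quota problem: continue without this tool server
    FAIL = "fail"         # caller-side bug: do not retry


def fragile_decide(err: Exception) -> Action:
    """Anti-pattern: keyed on error wording, which no server promises to keep stable."""
    text = str(err).lower()
    if "timeout" in text or "temporarily" in text:
        return Action.RETRY
    if "unauthorized" in text:
        return Action.DEGRADE
    return Action.FAIL


def decide(err: MCPTransportError) -> Action:
    """Branch on the status code first, then on machine-readable body fields."""
    code = err.status_code
    if code is None or code in (502, 503, 504, 429):
        return Action.RETRY
    if code in (401, 403):
        return Action.DEGRADE
    if code in (404, 410):
        return Action.SWITCH
    if code == 400:
        # Some servers put a structured reason in the body; use it when it parses.
        try:
            body = json.loads(err.response_body or "{}")
        except json.JSONDecodeError:
            return Action.FAIL
        error = body.get("error")
        if isinstance(error, dict) and error.get("code") == "unsupported_transport":
            return Action.SWITCH
        return Action.FAIL
    return Action.FAIL


# Constructed sample errors (assumed shapes, not captured from a real server).
SAMPLES = [
    MCPTransportError(503, "https://mcp.example/sse", "", "Service Unavailable"),
    MCPTransportError(401, "https://mcp.example/sse", '{"error":"invalid_token"}', "HTTP 401"),
    MCPTransportError(400, "https://mcp.example/mcp",
                      '{"error":{"code":"unsupported_transport"}}', "Bad Request"),
    MCPTransportError(None, "https://mcp.example/mcp", "", "connection reset by peer"),
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(f"{str(e.status_code):>4} {e.url:26} structured={decide(e).value:8} "
              f"string-match={fragile_decide(e).value}")
```

Running it shows the gap the bullet is pointing at: the string-matching version returns FAIL for a 503, a 401 and a reset connection because none of those messages happen to contain the words it looks for, while the structured version retries the transient cases, degrades on the auth failure and switches transports only when the server says so in a field it owns.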
Quick Takes
- Pydantic AI keeps turning provider quirks into typed surfaces. Pydantic AI v1.103.0 added list_prompts and get_prompt on McpServer, round-tripped Vercel UI message timestamps through metadata, supported OpenRouter's Anthropic eager-input streaming, and mapped Bedrock malformed model or tool output to FinishReason.error. The pattern is boring and valuable: provider weirdness becomes framework state instead of application folklore. (Source)
- Claude Code adoption looks like boundary expansion, not only productivity. A new arXiv paper studies 5,838 GitHub developers and finds Claude Code adoption coincided with more monthly commits, more repositories, and more programming languages used. The paper is careful about identification limits, but the mechanism is plausible: agents lower the switching cost for unfamiliar stacks. (Source)
- The MiniCPM path through llama.cpp is the practical signal. The merged llama.cpp tokenizer PR added MiniCPM5 support for Hugging Face to GGUF conversion and inference. Model cards are announcements; tokenizer and conversion support are distribution. Without that layer, local models remain downloadable artifacts rather than things real tools can route to. (Source)
The Thread
The thread is bounded capability. Claude Code is narrowing tools at the skill level. MiniCPM5-1B is narrowing model size around local agent jobs. OpenAI is narrowing credentials around workload identity. Vercel and Pydantic are narrowing ambiguous runtime failures into typed state. That is not a retreat from autonomy. It is what autonomy needs before it can move from impressive demos into ordinary engineering systems.
Predictions
New predictions:
- I predict: By 2026-08-31, at least two public Claude Code skill collections with more than 5,000 GitHub stars or equivalent install distribution will add explicit disallowed-tools or permission-diff documentation to their skill READMEs or manifests. (Confidence: medium; Check by: 2026-08-31)
Generated: 2026-05-27 03:37 EDT